Rule Creep

Foreword: As I mentioned earlier, I have been asked about being a part of the Thwack Ambassador program, and my first post went up. I am linking to it now for my readers who follow my blog and may not be aware of the post. This post is covered by my disclaimer.

In my last post I brought up the topic of the paradigm shift from physical to virtual firewalls. Our enterprises are evolving; some are accepting it and others are not. The thoughts it provoked were interesting indeed. In light of this, I supplement that discussion with today's post on rules and the ever-wonderful creep associated with change.

The use of 'ip any any', or something along those lines, converts the best firewall into a glorified router. Smartly crafted rule sets are what define a firewall: the stalwart checkpoint at which permission is applied to packets, flows are permitted or halted, and fine-grained, rule-based control is enforced.

The ability to define rules based on source and destination IP addresses and ports gives an administrator the granularity needed for strict access control and makes compliance achievable. Each firewall will have permissions relative to its function and feature set. Depending on the setting, an application may sit behind a layered firewall approach: a physical firewall at the data centre edge and a virtual one at the application cluster. Slowly but surely, creep does occur.

Over time applications come, serve, evolve, and go. Applications use a variety of communication protocols and ports, and new versions may invoke different methods of communication to serve their function. Security and firewall administrators rely heavily on an understanding of the application; this knowledge might be personal or come from a team member, and it is what allows rules to be created and rule sets to be managed. As applications evolve, rules change. When changes are enterprise-wide, these rules can lose accuracy. Sometimes applications disappear completely and their rules stay in the firewall, unused. An orphaned permit is not harmless: it still allows whatever matches it, so a new host that later reuses the address inherits access nobody reviewed. A few here and there may not matter, but across many devices it slowly adds up.
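Both of the points above, the 'ip any any' rule that turns a firewall into a router and the rules that outlive their applications, can be checked mechanically rather than by memory. What follows is an added example written for this page, not code from the original post or from any firewall vendor: a short Python audit over a constructed, Cisco-ACL-flavoured rule listing. The line format, the hit-count and last-hit fields, the 90-day idle window, first-match-wins evaluation and the sample rules are all assumptions made for the example.

```python
"""Rule-set hygiene audit (added example, not code from the original post).

Parses a constructed, Cisco-ACL-flavoured rule listing and flags three
symptoms of rule creep: 'permit ip any any' entries, entries that have
not matched traffic for a long time, and entries shadowed by an earlier
rule so they can never match. The line format, the hit/last-hit fields
and the sample rules are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Rule:
    seq: int                       # evaluation order; first match wins (assumed)
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol; else tcp/udp/...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: str                     # "any" or a destination port as text
    hits: int                      # lifetime match counter
    last_hit: Optional[date]       # None when the counter never incremented


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' is the 0.0.0.0/0 wildcard; anything else is CIDR notation."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of: <seq> <action> <proto> <src> <dst> <dport> <hits> <last-hit|never>.
    '#' starts a comment; blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        seq, action, proto, src, dst, dport, hits, last = line.split()
        rules.append(Rule(int(seq), action, proto, _net(src), _net(dst), dport,
                          int(hits), None if last == "never" else date.fromisoformat(last)))
    return rules


def is_any_any(r: Rule) -> bool:
    """The 'glorified router' rule: permit, every protocol, every host, every port."""
    return (r.action == "permit" and r.proto == "ip" and r.dport == "any"
            and r.src.prefixlen == 0 and r.dst.prefixlen == 0)


def is_stale(r: Rule, today: date, max_idle_days: int) -> bool:
    """Never matched, or idle longer than the window: likely a retired application."""
    if r.hits == 0 or r.last_hit is None:
        return True
    return (today - r.last_hit).days > max_idle_days


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    proto_ok = outer.proto in ("ip", inner.proto)
    port_ok = outer.dport in ("any", inner.dport)
    return (proto_ok and port_ok
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst))


def shadowed(rules: List[Rule]) -> List[int]:
    """Rules that can never match because an earlier rule already covers their traffic.
    Whatever their action they are dead weight, and a deny sitting behind a broad
    permit gives a false sense of security."""
    return [r.seq for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]


def audit(text: str, today: date, max_idle_days: int = 90) -> Dict[str, List[int]]:
    """Run all three checks and return the offending sequence numbers per finding."""
    rules = parse_rules(text)
    return {
        "any_any": [r.seq for r in rules if is_any_any(r)],
        "stale": [r.seq for r in rules if is_stale(r, today, max_idle_days)],
        "shadowed": shadowed(rules),
    }


# Constructed sample listing; addresses, counters and dates are made up.
SAMPLE_RULES = """
# seq action proto src          dst          dport hits    last-hit
10  permit  tcp   10.1.2.3/32  10.2.0.0/16  443   15023   2014-03-01
20  permit  tcp   10.1.0.0/16  10.3.5.7/32  8080  0       never        # app retired, rule kept
30  permit  udp   10.1.2.0/24  10.9.0.0/16  161   40      2012-11-20   # old monitoring server
40  permit  ip    any          any          any   991273  2014-03-02   # the glorified router
50  deny    ip    10.7.0.0/16  10.2.0.0/16  any   0       never        # dead: 40 matches first
"""
SAMPLE_TODAY = date(2014, 3, 5)   # fixed "today" so the sample is reproducible


def run_sample() -> Dict[str, List[int]]:
    return audit(SAMPLE_RULES, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding, seqs in run_sample().items():
        print(f"{finding:9s} -> rules {seqs}")
```

Against the sample it reports rule 40 as the any/any entry, rules 20, 30 and 50 as stale, and rule 50 as shadowed by 40. On real equipment the hit and last-hit fields would come from the device's own counters, and the parser would have to match that vendor's output; the three checks are the part worth carrying over, and the shadow check in particular is what catches a deny that was added after a broad permit and has never done anything.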

With the points discussed in both posts, I pose this question to you, readers: with the rapid expansion of physical and virtual firewalls, how do you control your rule creep whilst maintaining your sanity and your security?